MetaMask Browser (on Android) does not enforce Content-Security-Policy heade

Smart devices software vulnerabilities
Shane1145

Post by Shane1145 »

@renniepak discovered an issue with the MetaMask Mobile browser where it ignored content-security-policy headers set by websites. This occurred due to an error in how the application was handling web requests while trying to ensure that the MetaMask JavaScript provider was not blocked after being injected into a webpage. The MetaMask engineering team has since upgraded the MetaMask Browser to address this issue, and eliminated several complexities that would risk a similar issue occurring in the future.


https://hackerone.com/reports/1941767
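One way to check whether an in-app browser honors a site's Content-Security-Policy header, as an added example that is not part of the original post and is not MetaMask's code: a small Node server that sends a nonce-based policy with a page whose un-nonced inline script must be blocked. The function names `buildProbe` and `serveProbe` and the `CSP_PROBE_PORT` environment variable are assumptions made for this example.

```javascript
// Added example: probe page for checking that an in-app browser enforces CSP.
// buildProbe, serveProbe and CSP_PROBE_PORT are names made up for this example.

function buildProbe(nonce) {
  // Only scripts carrying this response's nonce may run; everything else is denied.
  const csp = `default-src 'none'; script-src 'nonce-${nonce}'`;
  const body = `<!doctype html>
<meta charset="utf-8">
<title>CSP probe</title>
<p id="verdict">INCONCLUSIVE: no script ran (JavaScript disabled?)</p>
<!-- No nonce: a browser that enforces the header must refuse to run this. -->
<script>window.unnoncedRan = true;</script>
<!-- Carries the nonce: allowed, so it can report what happened above. -->
<script nonce="${nonce}">
  document.getElementById('verdict').textContent = window.unnoncedRan
    ? 'FAIL: un-nonced inline script ran, CSP header is not enforced'
    : 'PASS: un-nonced inline script was blocked, CSP header is enforced';
</script>`;
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': csp,
      'Cache-Control': 'no-store', // every load gets a fresh nonce
    },
    body,
  };
}

async function serveProbe(port) {
  const http = await import('node:http');
  const { randomBytes } = await import('node:crypto');
  const server = http.createServer((req, res) => {
    // A new unpredictable nonce per response, as nonce-based CSP requires.
    const { headers, body } = buildProbe(randomBytes(16).toString('base64'));
    res.writeHead(200, headers);
    res.end(body);
  });
  server.listen(port, () => console.log(`CSP probe listening on port ${port}`));
  return server;
}

// Start the server only when a port is given, e.g. CSP_PROBE_PORT=8080.
if (process.env.CSP_PROBE_PORT) serveProbe(Number(process.env.CSP_PROBE_PORT));
```

Open the served page in the browser under test; a current desktop browser gives the PASS baseline to compare against.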